Bug 1661435 (CVE-2018-11987) - CVE-2018-11987 kernel: Double-free in ion_system_heap.c
Summary: CVE-2018-11987 kernel: Double-free in ion_system_heap.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-11987
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1661436
TreeView+ depends on / blocked
 
Reported: 2018-12-21 09:06 UTC by Andrej Nemec
Modified: 2019-09-29 15:04 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-09 14:00:31 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2018-12-21 09:06:03 UTC
A vulnerability was found in the Linux kernel if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.

References:

https://www.codeaurora.org/security-bulletin/2018/12/03/december-2018-code-aurora-security-bulletin#_CVE-2018-11987

Upstream patch:

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=5e9ffcfa152ecb2832990c42fcd8a0f2e63c2c04

Comment 1 Nicholas Luedtke 2018-12-21 12:29:06 UTC
Based on the references, this looks to be in android drivers. Can you confirm the upstream kernel is affected?

Comment 2 Andrej Nemec 2018-12-21 13:12:17 UTC
(In reply to Nicholas Luedtke from comment #1)
> Based on the references, this looks to be in android drivers. Can you
> confirm the upstream kernel is affected?

Hi Nicholas, we are currently analyzing the issue to see if there's any chance it could affect our kernels. We'll update the bug with the results afterwards.

Comment 3 Salvatore Bonaccorso 2019-01-03 15:19:58 UTC
Andrej, do you know if there was any conclusion on the affected status for affecting mainline kernel?

Comment 4 Andrej Nemec 2019-01-07 08:57:44 UTC
(In reply to Salvatore Bonaccorso from comment #3)
> Andrej, do you know if there was any conclusion on the affected status for
> affecting mainline kernel?

Hi Salvatore, unfortunately we weren't able to dig into this further because of Christmas. There will be an update to this bug as soon as analysis is done.


Note You need to log in before you can comment on or make changes to this bug.